@dugleelabs/copair 1.6.0 → 1.8.0

package/dist/api.d.ts

@@ -81,6 +81,10 @@ declare const ProviderConfigSchema: z.ZodObject<{
     }, z.core.$strip>>;
     timeout_ms: z.ZodOptional<z.ZodNumber>;
 }, z.core.$strip>;
+declare const SmallModelsConfigSchema: z.ZodObject<{
+    model_ids: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    max_tool_calls: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
 declare const CopairConfigSchema: z.ZodObject<{
     version: z.ZodNumber;
     default_model: z.ZodOptional<z.ZodString>;
@@ -172,9 +176,14 @@ declare const CopairConfigSchema: z.ZodObject<{
         web_search_timeout_ms: z.ZodDefault<z.ZodNumber>;
         provider_timeout_ms: z.ZodDefault<z.ZodNumber>;
     }, z.core.$strip>>;
+    small_models: z.ZodOptional<z.ZodObject<{
+        model_ids: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        max_tool_calls: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
 }, z.core.$strip>;
 type CopairConfig = z.infer<typeof CopairConfigSchema>;
 type ProviderConfig = z.infer<typeof ProviderConfigSchema>;
+type SmallModelsConfig = z.infer<typeof SmallModelsConfigSchema>;
 
 type ProviderFactory = (config: ProviderConfig, model: string) => Provider;
 declare class ProviderRegistry {
@@ -216,21 +225,42 @@ declare class ToolRegistry {
     getAllDefinitions(): ToolDefinition[];
 }
 
+/**
+ * Path-level permissions — model-agnostic.
+ * Applies regardless of which tool the model uses (read, bash cat, grep, etc.).
+ * write permission implies read.
+ */
+interface PathPermissions {
+    read: string[];
+    write: string[];
+}
 interface AllowRules {
     /** bash entries: exact match, or prefix if the pattern ends with " *" */
     bash: string[];
     /**
      * git entries: matched against the args string.
-     * Entry is the subcommand (e.g. "diff") — automatically covers all
-     * flags for that subcommand (e.g. "diff --cached", "diff HEAD~1").
+     * Entry is the subcommand (e.g. "diff") — covers all flags for that subcommand.
      */
     git: string[];
     /**
-     * write / edit entries: glob patterns matched against the file path.
-     * Supports * (within a segment) and ** (across segments).
+     * Tool-specific read/write/edit entries (kept for backward-compat and
+     * fine-grained tool control). For multi-model setups, prefer `paths:`.
      */
+    read: string[];
     write: string[];
     edit: string[];
+    /**
+     * Path-level permissions — the preferred way to allow cross-repo access.
+     * Works regardless of which tool the model chooses to use for an operation.
+     *
+     * Example allow.yaml:
+     *   paths:
+     *     read:
+     *       - "../../other-repo/**"
+     *     write:
+     *       - "../../shared-output/**"
+     */
+    paths: PathPermissions;
 }
 declare class AllowList {
     private rules;
@@ -238,11 +268,25 @@ declare class AllowList {
     /**
      * Returns true when the operation is explicitly listed and should bypass
      * the approval prompt. Called by ApprovalGate before prompting.
+     *
+     * Check order per tool:
+     *   1. Tool-specific entries (bash:, git:, read:, write:, edit:) — fine-grained
+     *   2. Path-level entries (paths.read / paths.write) — model-agnostic
      */
     matches(toolName: string, input: Record<string, unknown>): boolean;
     private matchBash;
+    /**
+     * Path-level bash matching: extract path tokens from the command, classify
+     * as read or write intent, then check against paths.read / paths.write.
+     * All path tokens in the command must be covered for the check to pass.
+     */
+    private matchBashByPath;
     private matchGit;
     private matchPath;
+    /**
+     * Check filePath against paths.read or paths.write (write implies read).
+     */
+    private matchPathAgainstPermissions;
 }
 
 interface ToolInfo {
@@ -275,15 +319,27 @@ interface TokenUsage {
     contextPercent?: number;
 }
 type ApprovalAnswer = 'allow' | 'always' | 'deny' | 'all' | 'similar';
+/** Pre-approval diff shown at the approval prompt (before execution). */
+interface ApprovalDiffPreview {
+    filePath: string;
+    oldContent: string | null;
+    newContent: string;
+    diffText: string;
+}
 interface ApprovalRequest {
     toolName: string;
     input: Record<string, unknown>;
     summary: string;
     index: number;
     total: number;
-    diff?: DiffInfo;
+    /** Pre-approval diff preview (shown before user approves). */
+    diff?: ApprovalDiffPreview | null;
     /** Present when a bash command references a sensitive system path. */
     warning?: string;
+    /** Present when a bash command references a path outside the project root. */
+    crossRepoBashPath?: string;
+    /** Present when a read/glob/grep targets a path outside the project root. */
+    crossRepoReadPath?: string;
 }
 interface AgentBridgeEvents {
     'stream-text': (text: string) => void;
@@ -297,11 +353,22 @@ interface AgentBridgeEvents {
     'approval-request': (request: ApprovalRequest, respond: (answer: ApprovalAnswer) => void) => void;
     'diff': (diff: DiffInfo) => void;
     'usage': (usage: TokenUsage) => void;
-    'thinking-start': () => void;
+    'thinking-start': (label?: string) => void;
     'thinking-stop': () => void;
     'turn-complete': () => void;
     'error': (message: string) => void;
-    'input-request': (respond: (input: string) => void) => void;
+    'input-request': (prompt: string, respond: (input: string) => void) => void;
+    'context-limit-warning': () => void;
+    'context-limit-action': (respond: (action: 'compact' | 'abort') => void) => void;
+    'task-complete': (data: {
+        summary: string;
+    }) => void;
+    'max-turn-warning': (data: {
+        limit: number;
+    }) => void;
+    'unclear-signal': (data: {
+        message: string;
+    }) => void;
 }
 type EventName = keyof AgentBridgeEvents;
 /**
@@ -335,8 +402,8 @@ declare class AgentBridge extends EventEmitter {
  * input_summary is always redacted and truncated to ≤ 200 chars before
  * writing so that raw secrets never appear in the audit log.
  */
-type AuditEvent = 'session_start' | 'session_end' | 'tool_call' | 'approval' | 'denial' | 'path_block' | 'schema_rejection' | 'bash_sensitive_path';
-type AuditOutcome = 'allowed' | 'denied' | 'error';
+type AuditEvent = 'session_start' | 'session_end' | 'tool_call' | 'approval' | 'denial' | 'path_block' | 'schema_rejection' | 'bash_sensitive_path' | 'bash_cross_repo' | 'cross_repo_read';
+type AuditOutcome = 'allowed' | 'denied' | 'error' | 'flagged';
 interface AuditEntry {
     ts: string;
     event: AuditEvent;
@@ -386,7 +453,7 @@ declare class ApprovalGate {
      * The agent never calls this. ToolExecutor calls it. The agent only
      * sees the resulting ExecutionResult.
      */
-    allow(toolName: string, input: Record<string, unknown>): Promise<boolean>;
+    allow(toolName: string, input: Record<string, unknown>, diffPreview?: ApprovalDiffPreview): Promise<boolean>;
     /** Bridge-based approval: emit event and await response from ink UI. */
     private bridgePrompt;
     /** Legacy approval prompt: reads from /dev/tty directly (not stdin).
@@ -455,7 +522,15 @@ declare class PathGuard {
      * @param mustExist true for read operations (file must exist); false for
      *                  write/edit operations (parent dir must exist).
      */
-    check(rawPath: string, mustExist: boolean): PathGuardResult;
+    check(rawPath: string, mustExist: boolean, opts?: {
+        skipBoundaryCheck?: boolean;
+    }): PathGuardResult;
+    /**
+     * Check whether a raw path resolves to somewhere inside the project root.
+     * Used by the tool executor to flag cross-repo references before the gate fires.
+     * Returns false on any resolution error — treat as outside.
+     */
+    isInsideProject(rawPath: string): boolean;
     private isDenied;
     private isAllowed;
     /**
@@ -655,8 +730,43 @@ declare class ConversationManager {
     static fromJSONL(data: string): Message[];
 }
 
+interface ParsedToolCall {
+    id: string;
+    name: string;
+    arguments: string;
+}
+interface ToolCallFormatter {
+    readonly name: string;
+    readonly markupPattern: RegExp;
+    /** Opening tag for streaming suppression (e.g. `<tool_call>`). When set,
+     *  the renderer buffers across chunks instead of applying a per-chunk regex. */
+    readonly openTag?: string;
+    readonly closeTag?: string;
+    /** When true, the streaming filter also suppresses all text that follows the
+     *  first complete tool-call block in a response.  Use for models that
+     *  hallucinate post-tool text (e.g. "It seems there was an issue…"). */
+    readonly suppressAfterMatch?: boolean;
+    parse(text: string): {
+        toolCalls: ParsedToolCall[];
+        remainingText: string;
+    };
+    buildSystemPrompt(tools: ToolDefinition$1[]): string;
+    /** Return a minimal example tool call in this formatter's markup language. */
+    exampleCall(): string;
+}
+
 type FormatName = 'dsml' | 'qwen-xml' | 'fenced-block';
 
+declare class SmallModelHarness {
+    readonly isSmallModel: boolean;
+    private config;
+    constructor(modelId: string, config?: SmallModelsConfig, forceOverride?: boolean);
+    get maxToolCalls(): number;
+    getSystemPromptAddition(): string | null;
+    getPerTurnReminder(): string | null;
+    getFormatHint(formatter: ToolCallFormatter): string | null;
+}
+
 interface AgentOptions {
     systemPrompt?: string;
     maxTokens?: number;
@@ -664,6 +774,9 @@ interface AgentOptions {
     toolCallFormat?: FormatName;
     bridge?: AgentBridge;
     pluginManager?: PluginManager;
+    /** Fraction of maxTokens at which to warn about context limit (0–1, default 0.9). */
+    contextLimitThresholdPct?: number;
+    harness?: SmallModelHarness;
 }
 declare class Agent {
     private provider;
@@ -677,6 +790,7 @@ declare class Agent {
     private formatter;
     private textFilter;
     private pluginManager?;
+    private harness?;
     constructor(provider: Provider, model: string, toolRegistry: ToolRegistry, executor: ToolExecutor, options?: AgentOptions);
     get model(): string;
     getConversation(): ConversationManager;
@@ -693,6 +807,16 @@ declare class Agent {
         /** Input tokens from the last API call — reflects actual context window usage. */
         lastInputTokens: number;
     }>;
+    /** Prompt the user for input and return their answer (used by ask_user intercept). */
+    private collectUserAnswer;
+    /**
+     * Detect whether the model likely hit its context limit this turn.
+     * Two signals:
+     *   1. Token threshold: input tokens ≥ contextLimitThresholdPct of maxTokens
+     *   2. Truncation heuristic: text present, no tool calls, and response ends
+     *      without terminal punctuation (sentence was cut off mid-stream)
+     */
+    private detectContextLimit;
 }
 
 interface SessionMetadata {